INTELLECTUAL PROPERTY ARTICLE
June 2008
FTC Consent Decree Clarifies Data Security Standards
By John M. Conley and Robert M. Bryan
What type of data security plan is a business legally required to adopt to protect personal information that it collects on its website? While this seems like a basic and straightforward question, the answer has never been clear for businesses operating in the United States. That may be starting to change.
The main reason for the uncertainty has been the lack of a controlling law that directly addresses this question on a nationwide basis. Instead, we are governed by a patchwork of federal and state laws. Federal privacy laws tend to be sector-specific -- for example, HIPAA for health care, Gramm-Leach-Bliley for financial services and the FCRA and FACTA for consumer credit transactions. Different agencies enforce the privacy rules applicable to different sectors, and the definitions of who is covered under these various provisions are still evolving. While many of the general principles carry over from industry to industry, the specific rules vary greatly. In addition, many companies do not operate in any of the covered sectors. On the state side, most states have now followed California's lead in enacting legislation that targets identity theft in several ways (such as notice of data security breaches and protection of social security numbers), but none of these laws impose general requirements of data security. On top of all of this, the major credit card associations are implementing contracts with their participating merchants that require the merchants to be more vigilant and impose liability for security breaches on merchants rather than issuing banks.
While we are still far from having a comprehensive answer to this question for the operators of websites, we now have some guidance on the minimum required steps from a surprising source: Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices. Although the Act was enacted long before anyone worried much about privacy, it may be evolving into the closest thing that we have to a national privacy law. The Act is enforced by the FTC itself, not by private parties. While the FTC has never imposed particular substantive privacy requirements on companies in the past, it has consistently taken the position that a company that makes representations to the public about its privacy policies must live up to those promises and that the failure to do so may be treated as an unfair or deceptive trade practice.
A new consent decree helps to clarify just what this means and takes the first step towards more generally applicable substantive standards. (A consent decree is a judgment agreed to by the FTC and a company that it is proceeding against.) The defendant was an online retailer called "Life is Good" (www.lifeisgood.com), which conducted a fairly typical online business. In the course of its sales activities, the company collected consumers' names and addresses and the account numbers, expiration dates, and security codes of their credit cards. The challenged privacy policy was also fairly generic, stating that "We are committed to maintaining our customers' privacy. We collect and store information you share with us . . . All information is kept in a secure file and is used to tailor our communications with you." According to the FTC, Life is Good violated this promise in several ways, including by storing credit card information in clear, readable text; by retaining credit card security codes; by failing to assess its vulnerability to foreseeable hacker attacks; and by failing to use available security and monitoring techniques.
The consent decree requires Life is Good to implement a "comprehensive information-security program." The program must include the designation of employees to coordinate security protection; the identification of internal and external security risks; the creation and implementation of appropriate safeguards against those risks; the monitoring of the safeguards' effectiveness; the oversight of service providers that have access to personal information from Life is Good's customers; and the evaluation of the program's overall efficacy.
On a practical level, it seems fair to assume that the FTC believes that all of these elements are necessary to fulfill a general commitment to "maintaining our customers' privacy" and keeping their personal information "in a secure file." Thus, any company that has any kind of privacy policy should probably be doing all of these things. The FTC has made available a useful guide that describes an acceptable security program in more detail at http://www.ftc.gov/infosecurity/. While this booklet does not technically have the force of law, it does seem to reflect the FTC's thinking about how its general rules should be applied, and it provides a workable outline for any company interested in adopting a reasonably priced data security program.
The FTC action does not relieve any business from the obligation to comply with more extensive industry-specific or state requirements. Nevertheless, it is a useful first step in bringing some level of certainty and consistency to this area.
Robinson, Bradshaw & Hinson, P.A. is a corporate and commercial law firm with more than 125 attorneys. The firm has offices in Charlotte and Chapel Hill, North Carolina, and Rock Hill, South Carolina. For over forty years, the firm has consistently provided innovative solutions to its clients' business needs from both a legal and practical perspective. The firm serves as counsel to public and closely held corporations operating in domestic and foreign markets; limited liability companies; limited and general partnerships; individuals; municipal, county and state agencies; public utilities; health care institutions; financial institutions and tax-exempt organizations. For more information on Robinson, Bradshaw & Hinson, please visit our Web site at www.rbh.com.